In cellular networks such as, for example, GSM (Global System for Mobile communications) networks, some security features such as the choice of ciphering algorithm in the communication between user terminals and the network are negotiated between the user terminal and the network, depending on the capabilities of the particular terminal and the network.
There is a natural desire to increase the security of the negotiation procedure between a user terminal and the network in order to prevent potential attackers from “hijacking” the negotiation and ordering the user terminal to use a less than optimal ciphering algorithm. A scenario in which an attacker “tricks” the terminal and the network into using less than optimal security is known as a “bidding-down attack”, and is often very difficult to protect against. Increased security should not come at too high a cost, i.e. involving large changes to the communication flows between terminal and network.
One reason that bidding-down attacks in connection with the negotiation procedure are difficult to handle is that it should be possible to use an enhanced security during the negotiation, whilst at the same time keeping the ability to use older user terminals in the network, i.e. user terminals which might not be equipped with the ability to use the enhanced security. Conversely, newer terminals, supporting negotiation which has been security-enhanced by means of, for example, ciphering or encryption, should be able to interoperate with older networks that do not support security enhanced negotiation.